Friday, November 11, 2016

Installing Microsoft Exchange Server 2016 Cumulative Update 3 throws the error: “… System.Security.Cryptography.CryptographicException: The certificate is expired.”

Problem

You’re attempting to install the latest cumulative update onto your Exchange 2016 server (Microsoft Exchange Server 2016 Cumulative Update 3 in this example) but notice that the process fails at:

Step 4 of 11: Mailbox role: Transport service

… with the following error message:

Error:
The following error was generated when "$error.Clear();
          Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
          {
            Install-AuthCertificate -DomainController $RoleDomainController
          }
        " was run: "System.Security.Cryptography.CryptographicException: The certificate is expired.
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
   at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".


The installation does not proceed and you are forced to close the installer.  Attempting to run the installer again will restart the process but fail with the same error message.

Solution

One of the reasons this error is thrown is an expired certificate that is still bound in IIS. In this example, one of the two https bindings has the updated certificate but the other one does not.

To correct the issue, simply update the binding or bindings with a non-expired certificate and rerun the installation. Note that it is OK to have the expired certificate in the local store of the server, but it should not be bound.
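To find the offending binding before rerunning setup, the following read-only audit lists every https binding in IIS with the validity of the certificate attached to it. It is an added example, not part of the original post; the function name `Get-IisBindingCertStatus` is hypothetical, and it assumes an elevated PowerShell session on the Exchange server with the IIS `WebAdministration` module available.

```powershell
# Added example: report the certificate status of every IIS https binding.
Import-Module WebAdministration

function Get-IisBindingCertStatus {
    $now = Get-Date
    foreach ($site in Get-Website) {
        foreach ($binding in Get-WebBinding -Name $site.Name -Protocol https) {
            $thumb = $binding.certificateHash
            $store = $binding.certificateStoreName
            $cert  = $null

            if ($thumb -and $store) {
                # Resolve the bound thumbprint in the machine store named by the binding.
                $cert = Get-Item -Path "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
            }

            # Classify the binding; an expired certificate here is what blocks setup.
            $status =
                if (-not $thumb)                 { 'NoCertificate' }
                elseif (-not $cert)              { 'MissingFromStore' }
                elseif ($cert.NotAfter -lt $now) { 'Expired' }
                elseif ($cert.NotBefore -gt $now){ 'NotYetValid' }
                else                             { 'OK' }

            [pscustomobject]@{
                Site       = $site.Name
                Binding    = $binding.bindingInformation
                Thumbprint = $thumb
                Subject    = if ($cert) { $cert.Subject } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
                Status     = $status
            }
        }
    }
}

# Show all https bindings, problem bindings first.
Get-IisBindingCertStatus |
    Sort-Object @{ Expression = { $_.Status -eq 'OK' } }, Site |
    Format-Table -AutoSize
```

Any row whose Status is not `OK` points at a binding to update with a valid certificate before rerunning the installer.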
